The Rise of Collaborative Tactics Among China-aligned Cyber Espionage Campaigns
Trend™ Research examines the complex collaborative relationship between China-aligned APT groups via the new “Premier Pass-as-a-Service” model, exemplified by the recent activities of Earth Estries and Earth Naga.
By: Daniel Lunghi, Leon M Chang
Oct 22, 2025
Key takeaways
- “Premier Pass-as-a-Service” describes the emerging trend of advanced collaboration tactics between multiple China-aligned APT groups, notably Earth Estries and Earth Naga, that are making modern cyberespionage campaigns even more complex.
- The case study discussed in this blog entry shows the model in action between these two groups, with Earth Estries acting as an access broker to Earth Naga for continued exploitation. By sharing access, Earth Estries and Earth Naga further complicate detection and attribution efforts.
- Earth Estries and Earth Naga have persistently targeted critical sectors, especially government agencies and telecommunications providers, with operations spanning multiple regions. Earth Estries and Earth Naga's coordinated cyberespionage campaigns have recently focused on retail and government-related organizations in APAC.
- Trend™ Research has introduced a new four-tier framework that categorizes these different kinds of collaborative attacks and helps security practitioners better understand such collaborations.
With contributions from Joseph C Chen, Vickie Su and Lenart Bermejo
In the domain of cyberespionage, Trend™ Research has observed an emerging development in recent years: close collaboration between different advanced persistent threat (APT) groups in what looks, at first sight, like a single cyber campaign. This report highlights instances of such cooperation, where the APT group Earth Estries handed over a compromised asset to Earth Naga, another APT group also known as Flax Typhoon, RedJuliett, or Ethereal Panda. This phenomenon, which we have termed "Premier Pass," represents a new level of coordination in cyber campaigns, particularly among China-aligned APT actors.
Attributing cyberattacks to specific threat actors is inherently complex, often relying on a blend of techniques such as malware analysis, network traffic analysis, examination of tactics, techniques, and procedures (TTPs) and victimology. However, the rise of collaborative operations, such as those exemplified by Earth Estries and Earth Naga, introduces additional layers of difficulty in attribution. These operations challenge traditional methods by involving multiple intrusion sets, complicating the identification of responsible parties.
This report will delve into the intricacies of this emerging trend, focusing on:
- A comprehensive analysis of the Premier Pass case, where Earth Estries facilitated access for Earth Naga, showcasing a sophisticated level of inter-group cooperation.
- The introduction of a four-tier framework to define and categorize modern collaborative attacks among China-aligned APT groups.
- Insights into the attribution challenges posed by these collaborative operations, emphasizing the need for cyber threat intelligence (CTI) researchers to look beyond mere process chain overlaps.
The collaboration discussed in this case study between Earth Estries and Earth Naga marks a pivotal shift in the landscape of cyberespionage, demanding a re-evaluation of attribution strategies and highlighting the intricate web of alliances within the cyber threat landscape.
Earth Estries and Earth Naga victimology
Earth Estries has primarily targeted critical sectors like telecommunications and government entities across the US, Asia-Pacific region, and the Middle East. In the past two years, we have also observed the group expanding its targeting to regions such as South America and South Africa.
Earth Naga has been actively targeting high-value organizations across strategic sectors since at least 2021. Primary targets include government agencies, telecommunications, military-related manufacturers, technology companies, media outlets and academic institutions, with a concentrated focus on entities based in Taiwan (Table 1).
In addition to its operations in Taiwan, Earth Naga has extended its reach to selected organizations in the broader APAC region, as well as in NATO member countries and Latin America, indicating a growing interest in global intelligence collection.
| Intrusion set | Targeted industry | Targeted region | Date |
|---|---|---|---|
| Earth Estries / Earth Naga (Premier Pass) | Retail company | APAC | November 2024 |
| Earth Estries / Earth Naga (Premier Pass) | Government agency | Southeast Asia | March 2025 |
| Earth Estries and Earth Naga (separate compromises) | Telecommunications provider | APAC | April 2025 |
| Earth Naga | Information service provider | Taiwan | April 2025 |
| Earth Estries and Earth Naga (separate compromises) | Telecommunications provider | NATO country | July 2025 |
Table 1. Recent campaigns involving Earth Estries and Earth Naga
Evidence of access broker activities by Earth Estries
Our investigation indicates that Earth Estries operated as an access broker in some campaigns. Specifically, evidence of shared access behavior was identified in the TrillClient attack chains attributed to Earth Estries.
Collaboration between multiple intrusion sets is not unheard of, but we believe these incidents fall into multiple categories. We introduce the types we know about later in this report.
In two distinct organizational environments that have been persistently targeted by Earth Estries, we identified evidence suggesting that Earth Estries shared access with Earth Naga. This activity indicates a possible operational linkage or access-sharing arrangement between the two threat groups, which may reflect strategic collaboration within a broader threat ecosystem.
The first instance was identified in November 2024, involving a major mobile retail company in the APAC region, where Earth Estries appeared to have provided access to Earth Naga. In addition, our telemetry data reveals that Earth Estries attempted to share access with Earth Naga as early as late 2023. However, Earth Naga’s toolset was detected and blocked by our product during deployment. Therefore, we didn’t observe any network traffic with known Earth Naga command-and-control (C&C) infrastructure at that time.
Subsequently, we identified a second instance of shared access in March 2025, this time involving a government agency in Southeast Asia. Further analysis and indicators related to this case are included in the following section.
Earth Estries and Earth Naga’s joint operation
Figure 1 illustrates the attack infection chain we have constructed based on incidents observed within a Southeast Asian government entity earlier this year. These events, which bear strong ties to the activities of Earth Estries and Earth Naga, offer insights into the TTPs employed by these intrusion sets in recent campaigns.
[Figure 1. The overview of infection chain observed in multiple infected machines]
[...]